SAP Cyber Threat Intelligence Report – November 2016

The SAP threat landscape is constantly growing, putting organizations of all sizes and industries at risk of cyberattacks. The SAP Cyber Threat Intelligence report provides insight into the latest security threats and vulnerabilities.

Below are the details of the SAP vulnerabilities that were identified by ERPScan researchers.

A Denial of Service vulnerability in SAP Message Server (CVSS Base Score: 7.5). An update is available in SAP Security Note 2358972. An attacker can exploit a denial of service vulnerability to terminate a process of a vulnerable component. As a result, nobody will be able to use the service, which in turn disrupts business processes, causes system downtime, and damages the business reputation of the victim company.

An Information Disclosure vulnerability in SAP System Landscape Directory (CVSS Base Score: 5.3). An update is available in SAP Security Note 2342940. An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.), which helps them learn about a system and plan other attacks.

An SQL Injection in SAP Hybris E-commerce Suite VirtualJDBC. An attacker can exploit an SQL injection vulnerability with the help of specially crafted SQL queries to read and modify sensitive information in a database, execute administration operations on a database, destroy data, or make it unavailable.
SAP stated that "Due to the fact that this issue is inside Hybris cloud we don’t provide a security note."

About the Denial of Service vulnerability in SAP Message Server HTTP

SAP has a set of services that should not be accessible from the Internet, as they are designed only for internal use or require additional network filtering before being directly exposed to the Internet. SAP Message Server, which is used for communication between elements of a Java cluster, is one such service. It is often used as a load balancer for client GUI connections.

SAP Message Server HTTP is the HTTP part of Message Server. The DoS vulnerability (related SAP Note 2358972) allows an attacker to prevent legitimate users from accessing the service by crashing it.

We identified almost 4000 (namely 3783) SAP Message Server HTTP instances available online.

The most critical issues closed by the November 2016 SAP Security Notes, identified by other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

2357141: SAP Report for Terminology ExportI component has an OS command execution vulnerability (CVSS Base Score: 9.1). An attacker can use an OS command execution vulnerability for unauthorized execution of operating system commands. Executed commands run with the same privileges as the service that executed them. An attacker can access arbitrary files and directories located in an SAP server file system, including application source code, configuration, and critical system files. This allows the attacker to obtain critical technical and business-related information stored in a vulnerable SAP system. Install this SAP Security Note to prevent the risks.

2371726: SAP Text Conversion component has an OS command execution vulnerability (CVSS Base Score: 9.1). An attacker can use an OS command execution vulnerability for unauthorized execution of operating system commands. Executed commands run with the same privileges as the service that executed them. An attacker can access arbitrary files and directories located in an SAP server file system, including application source code, configuration, and critical system files. This allows the attacker to obtain critical technical and business-related information stored in a vulnerable SAP system. Install this SAP Security Note to prevent the risks.

2366512: SAP Software Update Manager component has an Information Disclosure vulnerability (CVSS Base Score: 7.5). An attacker can use an information disclosure vulnerability to reveal additional information, which helps them learn about a system and plan further attacks. During an upgrade of SAP NetWeaver-based products, the MSSQL database shadowuser credentials are stored in log files in plain text. Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities as well as attack signatures are already available in ERPScan Security Monitoring Suite.
